Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 22 May 2000 22:23:29 -0400
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Andre Gironda <andre@sun4c.net>
Cc:        Blake Matheny <matheny@bussert.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Firewall Rules
Message-ID:  <20000522222329.C36986@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <20000522110814.A5867@toaster.sun4c.net>; from andre@sun4c.net on Mon, May 22, 2000 at 11:08:14AM -0700
References:  <Pine.BSF.4.10.10005221304510.8452-100000@arf.bussert.com> <20000522110814.A5867@toaster.sun4c.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, May 22, 2000 at 11:08:14AM -0700, Andre Gironda wrote:
> 
> Blake,
> 
> If possible, you should try to segment off those users, because I don't
> think there is a way with IPF or IPFW (or any firewall that I can think
> of) to block MAC addresses specifically.

Wouldn't it be possible to essentially dev-null all but a fixed list
of IP-MAC pairs? This would not be a deny list, but rather an accept
list and then a default deny. That may or may not be acceptable.

I believe this can be done by turning off ARP on the interface and
using arp(8) to build a static MAC-IP mapping of your own.

Just a pretty easy to do idea.

> On Mon, May 22, 2000 at 01:08:30PM -0500, Blake Matheny wrote:
> > Is there a way to deny by mac address rather than ip address? I need to
> > deny a group of computers (with static ip's) access to the internet, but
> > if someone changes their ip (with DHCP) it doesn't do any good. These are
> > windows boxes with a freebsd firewall, no policies on the computers and if
> > possible I would like to implement this only on the firewall level. Anyone
> > got any advice? Thanks.
> > -Blake
> > 
> > Blake Matheny
> > Bussert Consulting
> > Network Engineer
> > (765)423-2100
> > matheny@bussert.com
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000522222329.C36986>